National Information Assurance Program Common Criteria Evaluation and Validation Scheme

Slides: 24
Provided by: jhsc

Transcript and Presenter's Notes

1
National Information Assurance Program Common
Criteria Evaluation and Validation Scheme
  • Jean H. Schaffer
  • NIAP CCEVS / NSA V13
  • (410) 854-4458

2
National Information Assurance Partnership
Partnership to meet the security testing needs of
IT producers

3
Common Criteria Evaluation and Validation Scheme
(CCEVS)
  • Objective
  • Test Security Properties of Commercial Products
  • Approach
  • Tests performed by Accredited Commercial
    Laboratories
  • Validity/Integrity of results underwritten by
    NIAP
  • Results posted for public access

4
Common Criteria Evaluation and Validation Scheme
(CCEVS)
  • Evaluates conformance of the security features of
    IT products to the International Common Criteria
    (CC) for Information Technology Security
    Evaluation.
  • Issues Certificates to vendors for successful
    completion of evaluations.
  • Not an NSA or NIST endorsement
  • Not a statement about goodness of product

5
U.S. Approved Common Criteria Testing
Laboratories
  • Cable & Wireless Systems (Columbia, Maryland)
  • Booz, Allen & Hamilton (Linthicum, Maryland)
  • COACT, Inc. (Columbia, Maryland)
  • Computer Sciences Corp. (Annapolis Junction, MD)
  • CygnaCom Solutions, Inc. (McLean, Virginia)
  • InfoGard Laboratories, Inc (San Luis Obispo, CA)
  • Science Applications Int'l Corp. (Columbia, MD)
  • ... More Applicants Received

6
Common Criteria Recognition Arrangement (CCRA)

Expressed Interest
US
Canada
UK
Germany
France
Australia/New Zealand
Netherlands
Finland
Italy
Norway
Spain
Israel
Greece
Sweden
Austria
Russia
Japan
South Korea

7
Common Criteria: The International Standard
  • What the standard is
  • Common structure and language for expressing
    product/system IT security requirements (Part 1)
  • Catalog of standardized IT security requirement
    components and packages (Parts 2 and 3)
  • How the standard is used
  • Develop protection profiles and security targets
    -- specific IT security requirements and
    specifications for products and systems
  • Evaluate products and systems against known and
    understood IT security requirements

8
Common Criteria Sections
  • Part 1: Introduction and General Model
  • Part 2: Security Functional Requirements and
    Annexes
  • Part 3: Security Assurance Requirements

9
Protection Profiles
  • Answers the question: What do I need in a
    security solution?
  • Implementation independent
  • Multiple implementations may satisfy PP
    requirements
  • Authors can be both consumers and producers of IT
    products and systems

10
Security Targets
  • Answers the question: What do you provide in a
    security solution?
  • Implementation dependent/specific
  • Authors can be product vendors, product
    developers, or product integrators

11
UNCLASSIFIED
Evaluation Process Summary
VALIDATION
- Oversee - Review - Validate
EVALUATION
Commercial Evaluation Facility
- Analyze - Test - Document - Report

12
http://niap.nist.gov/cc-scheme

13
Governing Policies

14
  • NSTISSP No. 11
  • National Policy Governing the Acquisition of
    Information Assurance (IA) and IA-Enabled
    Information Technology Products that protect
    national security information.
  • Effective 1 July 2002, all COTS IA and IA-Enabled
    products must be evaluated by:
  • International Common Criteria Mutual Recognition
    Arrangement
  • NIAP Evaluation and Validation Program (CCEVS)
  • NIST FIPS validation program

15
  • NSTISSP No. 11 (cont.)
  • The evaluation/validation of COTS IA and
    IA-enabled products will be conducted by
    accredited commercial laboratories, or the NIST.
  • All GOTS IA or IA-enabled products must be
    evaluated by NSA or an NSA-approved process.

16
  • National Information Assurance Acquisition
    Policy, dated 6 Aug 2002 (Guthrie Memo)
  • If a Government Protection Profile (PP) exists,
    products must be evaluated against the PP.
  • Minimum EAL2 for products with no PP.
  • If product has not been evaluated yet, as
    condition of purchase, vendor must commit to
    having their product evaluated.
  • Contracts shall specify product validation will
    be kept current via the NIAP Assurance
    Maintenance Program.
  • Superseded by DODI 8500.2

17
  • DOD Directive 8500.1, 24 OCT 2002
  • All IA or IA-enabled products incorporated into
    DoD information systems must comply with NSTISSP
    11
  • Products must be satisfactorily evaluated and
    validated either
  • prior to purchase or
  • If product has not been evaluated yet, as
    condition of purchase, vendor must commit to
    having their product evaluated.
  • Purchase contracts shall specify that product
    validation will be maintained for subsequent
    releases.

18
  • DOD INSTRUCTION 8500.2, 12 FEB 2003
  • Defines generic robustness levels of basic,
    medium, and high and assigns baseline levels of
    IA services dependent on value of information and
    environment
  • If a Government Protection Profile (PP) exists
    for a specific technology area,
  • products must be evaluated against the PP.
  • If no Government PP exists for a specific
    technology area,
  • as a condition of purchase, products must be
    submitted for evaluation at the appropriate EAL
    level as determined by ISSE and DAA.

19
Public Law 107-314, 2 DEC 2002
  • Passed by House Armed Services, part of Defense
    Authorization Bill
  • Subtitle F: Information Technology, Section 352
  • Directs the Secretary to establish a policy to
    limit the acquisition of information assurance
    technology products to those that have been
    evaluated and validated in accordance with
    appropriate criteria, schemes, or programs.
    Authorizes the Secretary to waive such policy for
    U.S. national security purposes.

20
  • NIST Special Pub 800-23
  • Applies to U.S. Civil Government
  • Recommends CC evaluations/validations

21
  • National Strategy to Secure Cyberspace
  • To enhance procurement of more secure IT
    products, the Federal Govt, by 4Q FY03, will
    complete a comprehensive program performance
    review of the NIAP to determine
  • Cost effectiveness
  • Targets a clearly identified security gap
  • Has defined goals to close the gap
  • Whether it is achieving these goals
  • Whether program improvements, streamlining, or
    expansion are appropriate and cost effective

22
QUESTIONS ?
  • Review of Common Criteria (CC)
  • Important Web Sites
  • CCEVS: http://niap.nist.gov/cc-scheme
  • Common Criteria: http://commoncriteria.org
  • NSTISSP No. 11: http://www.nstissc.gov/html/library.html
  • Validated Products: http://niap.nist.gov/cc-scheme/Validated Products.html
  • Protection Profiles: http://niap.nist.gov/cc-scheme/PP

The National Information Assurance Partnership /
Common Criteria Evaluation and Validation Scheme

23
Contact Information
For further information contact:
Jean H. Schaffer
National Security Agency
9800 Savage Road, STE 6740
Fort George G. Meade, MD 20755-6740
jhschaf_at_missi.ncsc.mil
phone (410) 854-4458
fax (410) 854-6684
http://niap.nist.gov/cc-scheme